On Mon, 2021-09-27 at 19:44 +0900, Minjae Kim wrote: > vim is vulnerable to Heap-based Buffer Overflow > > reference: > https://github.com/vim/vim/commit/65b605665997fad54ef39a93199e305af2fe4d7f > --- > .../vim/files/CVE-2021-3778.patch | 49 +++++++++++++++++++ > meta/recipes-support/vim/vim.inc | 1 + > 2 files changed, 50 insertions(+) > create mode 100644 meta/recipes-support/vim/files/CVE-2021-3778.patch > > diff --git a/meta/recipes-support/vim/files/CVE-2021-3778.patch > b/meta/recipes-support/vim/files/CVE-2021-3778.patch > new file mode 100644 > index 0000000000..9cb61a6ac7 > --- /dev/null > +++ b/meta/recipes-support/vim/files/CVE-2021-3778.patch > @@ -0,0 +1,49 @@ > +From eb41373c8c88b0789e5cf04669d6116f9a199264 Mon Sep 17 00:00:00 2001 > +From: Minjae Kim <[email protected]> > +Date: Sun, 26 Sep 2021 23:48:00 +0000 > +Subject: [PATCH] patch 8.2.3409: reading beyond end of line with invalid > utf-8 > + character > + > +Problem: Reading beyond end of line with invalid utf-8 character. > +Solution: Check for NUL when advancing. > + > +Upstream-Status: Accepted > [https://github.com/vim/vim/commit/65b605665997fad54ef39a93199e305af2fe4d7f] > +CVE: CVE-2021-3778 > +Signed-off-by: Minjae Kim <[email protected]> > +--- > + src/regexp_nfa.c | 3 ++- > + src/testdir/test_regexp_utf8.vim | 7 +++++++ > + 2 files changed, 9 insertions(+), 1 deletion(-) > + > +diff --git a/src/regexp_nfa.c b/src/regexp_nfa.c > +index fb512f961..4d337f1f1 100644 > +--- a/src/regexp_nfa.c > ++++ b/src/regexp_nfa.c > +@@ -5455,7 +5455,8 @@ find_match_text(colnr_T startcol, int regstart, char_u > *match_text) > + match = FALSE; > + break; > + } > +- len2 += MB_CHAR2LEN(c2); > ++ len2 += enc_utf8 ? utf_ptr2len(rex.line + col + len2) > ++ : > MB_CHAR2LEN(c2); > + } > + if (match > + // check that no composing char follows > +diff --git a/src/testdir/test_regexp_utf8.vim > b/src/testdir/test_regexp_utf8.vim > +index 19ff882be..e0665818b 100644 > +--- a/src/testdir/test_regexp_utf8.vim > ++++ b/src/testdir/test_regexp_utf8.vim > +@@ -215,3 +215,10 @@ func Test_optmatch_toolong() > + set re=0 > + endfunc > + > ++func Test_match_invalid_byte() > ++ call writefile(0z630a.765d30aa0a.2e0a.790a.4030, 'Xinvalid') > ++ new > ++ source Xinvalid > ++ bwipe! > ++ call delete('Xinvalid') > ++endfunc > +-- > +2.17.1 > + > diff --git a/meta/recipes-support/vim/vim.inc > b/meta/recipes-support/vim/vim.inc > index 7e9225fbcb..db1e9caf4d 100644 > --- a/meta/recipes-support/vim/vim.inc > +++ b/meta/recipes-support/vim/vim.inc > @@ -18,6 +18,7 @@ SRC_URI = "git://github.com/vim/vim.git \ > file://no-path-adjust.patch \ > file://racefix.patch \ > file://b7081e135a16091c93f6f5f7525a5c58fb7ca9f9.patch \ > + file://CVE-2021-3778.patch \ > " > > SRCREV = "98056533b96b6b5d8849641de93185dd7bcadc44"
Thanks for the patch, I'd like to get this CVE fixed for master. Unfortunately the patch doesn't seem to apply? ERROR: vim-8.2-r0 do_patch: Command Error: 'quilt --quiltrc /media/build1/poky/build/tmp/work/core2-64-poky-linux/vim/8.2-r0/recipe-sysroot-native/etc/quiltrc push' exited with 0 Output: stdout: Applying patch CVE-2021-3778.patch patching file src/regexp_nfa.c Hunk #1 FAILED at 5455. 1 out of 1 hunk FAILED -- rejects in file src/regexp_nfa.c patching file src/testdir/test_regexp_utf8.vim Patch CVE-2021-3778.patch does not apply (enforce with -f) stderr: ERROR: Logfile of failure stored in: /media/build1/poky/build/tmp/work/core2-64-poky-linux/vim/8.2-r0/temp/log.do_patch.45096 ERROR: Task (/media/build1/poky/meta/recipes-support/vim/vim_8.2.bb:do_patch) failed with exit code '1' Cheers, Richard
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#156403): https://lists.openembedded.org/g/openembedded-core/message/156403 Mute This Topic: https://lists.openembedded.org/mt/85897206/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
